[dev] Re: [cvs] commit: horde/services go.php
Jan Schneider
jan at horde.org
Thu Aug 12 01:39:25 PDT 2004
Quoting Chuck Hagenbuch <chuck at horde.org>:
> Quoting Jan Schneider <jan at horde.org>:
>
>> Redirecting embedded images like
>> <img src="admin/user.php?action=delete&user=all" />
>
> Hmm. This means you can cause Horde, with no auth, to essentially do a remote
> bandwidth-sucking attack. I think we should rethink this.
That's already the case now, though a simple redirect is of course not as
bandwidth/performance hogging as an fpassthru(). We could do a simple Auth
check without loading the full registry. But in this case
Horde::externalUrl() needs to check whether the user is authenticated, so
that it doesn't do the redirect for guests.
> Could go.php simply refresh to itself until the SID is out of the URL?
The refresh is not the problem, we do it for non-cookie sessions only
anyway.
> This
> isn't even an issue for cookie-based sessions, right?
It is unfortunately, as long as the user is authenticated.
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting.php
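As an added illustration of the mitigation discussed in this thread (a cheap authentication check before any redirect, without loading the full registry), here is a minimal standalone redirect endpoint. It is not Horde's own go.php and does not use Horde APIs; the cookie name `horde_sid`, the session key `user` and the `url` query parameter are assumed names for the example. It only closes the guest case the thread is about, not the authenticated-user case Jan mentions.

```php
<?php
// Added example, not Horde's go.php. Assumed names: session cookie "horde_sid",
// session key "user", query parameter "url".

/**
 * Cheap auth check: consult only the session cookie and the session store,
 * without loading the full application registry.
 */
function is_authenticated_session(array $cookies): bool
{
    if (empty($cookies['horde_sid'])) {
        return false;               // no session cookie at all: a guest
    }
    session_name('horde_sid');
    session_start();
    $ok = !empty($_SESSION['user']);
    session_write_close();
    return $ok;
}

/**
 * Accept only absolute http(s) targets; reject javascript:, data: and
 * protocol-relative (//host) URLs. Returns null for anything unacceptable.
 */
function safe_redirect_target(?string $url): ?string
{
    if ($url === null) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

if (!is_authenticated_session($_COOKIE)) {
    http_response_code(403);        // guests get no redirect at all
    exit('Not authenticated');
}
$target = safe_redirect_target($_GET['url'] ?? null);
if ($target === null) {
    http_response_code(400);
    exit('Invalid redirect target');
}
header('Location: ' . $target, true, 302);
exit;
```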